A federal appeals court has ruled it improper to compel a child pornography suspect to decrypt his hard drive because such an act would violate his Fifth Amendment rights.
The ruling (PDF) by the Atlanta-based US 11th Circuit Court of Appeals in the case of an unnamed suspect from Florida (known in court papers as "John Doe") …

Re: The only difference between the Florida and Colorado cases...

Re: The only difference between the Florida and Colorado cases...

My understanding of the Colorado case is that the accused freely admitted (to a jailhouse informant) that there were incriminating files on her encrypted drive.

Because of this (underreported) feature of the case, the judge has taken the stance that her 5th amendment rights do not apply because she has _already_ self-incriminated, and now she's merely being compelled to metaphorically open the door to the room she herself said the incriminating evidence is in.

Not sure I agree with the interpretation myself: if they feel the "evidence" of self-incrimination was already strong enough, would they even need the encrypted files? Kinda feels like they know they have some crappy evidence, but they really really want a silver bullet, and they think she's the best person to provide it, i.e. she should self-incriminate. Mind you, I'm not a sitting US judge, only a bepipetacled armchair detective.

you get out the laser cutter

Re: you get out the laser cutter

Or better yet, what happens if I have a combination lock on the door to my meth lab house? Can the police still get a search warrant, bust the door down and arrest me? To take the analogy to the furthest extreme, they must make really, REALLY big safes. So can I buy one and live in it? And put my meth lab in it? Assume I do all of the smart things that would make it livable involving gas masks, oxygen, and anything else I can't think of, but that would keep the safe analogy perfect and me living and breathing inside of it.

Can they cut/blow/melt/whatever it open? I had never heard that you don't have to supply a combination lock and it sounds like an ugly precedent. And the same goes for passwords on encrypted hard drives. Every product we consume or create can be stored in a safe or hard drive, so unless authorites catch them *in the act* of doing something illegal, intelligent criminals will never get caught.

If they *can* get inside via brute force, then I assume the same goes for an encrypted drive, but the difference is that it only takes a few hours/days (probably?) to get into a safe, while it can take hundreds of years to crack even the simplest of passwords. So now I'll just make the walls of my safe arbitrarily thick (300 feet maybe?). The door takes an hour to open, but it takes a lot more time and resources to cut through.

And this one might be a stretch, but if they guy stored media on his drives that he created, cracking the password (or any attempt to cirumvent the protection measures) would violate the DMCA, right? I hate law. Situations like this always make me think you have to be really stupid or really ignorant to intrepret it with any efficiency.

@Bjorg

The issue isn't the lock. The issue is that the 5th amendment of the US constitution provides for suspects to remain silent in order to avoid inadvertently incriminating themselves. Oddly enough this is nothing to do with guilt or innocence as such, and everything to do with the well known fact that the authorities can and, indeed, will twist anything you say into a case against you. It's in their interests to have you talking, because they can use anything you say in court against you.

A good video explanation from a lawyer can be found here: http://www.youtube.com/watch?v=6wXkI4t7nuc

In this case the self-incrimination would be quite simple. They're trying to compel him to hand over what amounts to a detailed description of everything he's ever done online, from which they can very easily construct a very powerful yet entirely circumstantial case against him. They may not have evidence of a crime, but with his harddrive contents the can establish motive, and probably find enough evidence to twist into a logical pretzel establishing presence or actions that would be construed as acting on motive.

In your example, they don't need to find a meth lab at your home. They just need to place you near the location of the meth lab when it was operating and find evidence of motive to operate one (which might be as simple as gettig you to admit that you like watching Breaking Bad), then they can get warrants to search your home, your place of business and everything else until they think they've found enough evidence to prosecute you.

Innocent until ...

.. only if he really is a kiddy fiddler.

Suppose you wanted to get into someone's hard drive because you thought he was doing something that Disney - er - the DMCA doesn't allow, or even keeping files on the misdeeds of a presidential candidate. You accuse him of paedophilia, get the keys to his hard drive(s) and go fishing for what you can find.

Re: I don't get it...

Re: I don't get it...

It is a principle of both UK and US law that no-one can be compelled to give evidence against themselves and it always has been.

The idea is that the prosecuting authorities should be able to make a ca,se that stands up on its own and so does not have to rely on a confession, which can be extorted or made up. It may seem unlikely that someone would confess to a crime they didn't commit except under duress, but there are plenty of examples of that happening. There are far more examples of false confessions being forced out of suspects.

This is a difficult area and I have to say that, on balance, I don't agree with the Supreme Court. The police aren't asking the suspect to incriminate himself but to facilitate the analysis of evidence. I don't think that is the same thing. It doesn't take a genius to work out why he refuses to divulge his passwords/encryption keys, but until he does, no-one will know for sure.

Re: I don't get it...

That's because you, like many people in this day and age, are assuming that the fifth amendment is in place to protect the guilty. It's not. It is there to protect the innocent. You can easily incriminate yourself without actually being guilty without such protection.

An example: someone you dislike very strongly was found dead in a bathroom in a bar. You happened to be at the bar at the time, but weren't involved. In the course of investigating, the police ask you how you felt about that person. Lying to a cop is a bad idea, and admitting you hated the guy puts you on a short list of suspects, so you plead the fifth (if you're smart).

The thing to remember about the American justice system is that it's built around the idea that it's better to let a guilty man go than to imprision an innocent one. That's why it sometimes seems like the criminals have more rights than the victims: a lot of the time they do.

@Anonymous Coward and lotus49

Once again it seems it's necessary to remind people of the principle of Presumption of Innocence.

Requring (or forcing) someone to incriminate themselves or even simply "facilitating the analysis of evidence" means that a suspect has to prove they have not committed a crime, rather than the authorities demonstrating that they *have* done so.

Re: Re: I don't get it...

@Sisk

No, I'm not presuming that someone is guilty at all. What I don't understand is how, when there is legitimate reason for investigation of a particular matter, someone can just clam up and say nothing. I understand why you wouldn't want to say something in a police interview, but I don't understand how someone is able to refuse to answer questions in court. I am of the understanding that in UK courts people can be compelled to answer questions by a judge.

Your example of refusing to answer a question to the Police when a hypothetical person is asked about their feelings about someone is a right-to-silence issue and not a right to not incriminate yourself of a crime.

Re: Re: I don't get it...

Suppose you felt your local council were fiddling the figures and screwing over local services. You compile evidence you've been able to get on their accounts, transactions etc. on your hard disk... The next day the council finds they've been defrauded in some way by someone using authorized credentials to get into their accounts and steal money. I would say that the 5th amendment would apply here.

As would it apply when it comes to a corrupt cop trying to get an arrest to look good and fakes evidence. Hard to fake evidence of a child porn image if the hard disk hasn't been decrypted yet.

As it would also apply in this situation: "We've found no child porn on your encrypted hard drive sir, but you're wife looks like she enjoyed Benidorm last year... is she always that horny?"

Re: Re: Re: I don't get it...

"I am of the understanding that in UK courts people can be compelled to answer questions by a judge."

I'm quite certain you're wrong, when it come to the accused. The principle against self-incrimination is rather strongly entrenched in various international legal treaties, notably in the European Convention on Human Rights, which I believe is binding in the UK.

Now *witnesses*, i.e., people who are not being accused themselves, can be compelled to speak, but that's not at issue here.

Re: @Anonymous Coward and lotus49

Re: Re: Re: I don't get it...

It should also be noted that -- at least in the Florida case -- the prosecution was trying to gather evidence to present to a Grand Jury, whose job it is to look at the evidence and see whether there is enough to warrant holding the accused over for trial. The (apparent) fact that the prosecution felt that they NEEDED whatever may have been on those hard drives in order to bring the case to trial implies that they really may not have had a very solid case at all and were going on a fishing expedition.

Once they had the drives in clear, there was, AFAIK, no limit to what they could look for -- they weren't limited to looking for child porn but could use anything they found (records of unreported freelance income, say) with which to pile added charges on. Too many prosecutors get ahead by following the policy attributed to Cardinal Richelieu: "Give me ten lines written by the most pious of men and *I* can find something with which to hang him!"

Re: Re: Re: I don't get it...

"but I don't understand how someone is able to refuse to answer questions in court"

Because it isn't your (the defendant's) responsibility to make the prosecutor's case - that's his job. He has to prove you did it - all you have to do is kick his case in the nads (presumption of innocence being the default position). At least in the US, you don't even have to testify in your own defense; if the prosecution can't prove the elements of the crime, you can flip them off and let them hang (now, in most cases, it is better to punch them in the legal gut a few times to make sure, but metaphorically-speaking, braining the DA isn't necessary).

Also, consider that what you do say is recorded. Admitting to one crime to get out of another still gets you dumped in the pokey. "I did not break into that shop because I was murdering a guy" is going to get one case dropped, and a whole 'nother one opened.

And one other wrinkle: if you have been granted immunity, you can't plead the 5th because you can't incriminate yourself (well, you can still be tried for the crime, theoretically, but anything resulting from your confession can't be used). You see this in organized crime cases, where you admit to doing something, and then point out you were doing for the boss, so they let the little fish skate to get the big fish - though you may or may not still be in jail, because they already have you one other things.

And if you want some sort of underlying principle, it is this: If you can be compelled to answer, the only thing stopping the prosecution from torturing you to get the answer he wants is the little angels - and those boys are notoriously known for their horrible track record. The way the government is kept honest is to make it work for what it gets - we've gotten more advanced than the Inquisition, thank you very much

Re: I don't get it...

Re: Re: I don't get it...

'This is a difficult area and I have to say that, on balance, I don't agree with the Supreme Court. The police aren't asking the suspect to incriminate himself but to facilitate the analysis of evidence. I don't think that is the same thing. It doesn't take a genius to work out why he refuses to divulge his passwords/encryption keys, but until he does, no-one will know for sure.'

What he's being asked to do is to give a key to his password creation method.

If I told you my password was 12345678, you now have an idea that I use numeric sequences. If I say it's abcdefgh, you know it's an alphabetic sequence. If I said it's 'imbtfol,po' you might be puzzled for... oh, however long it took you to identify the opening lines of a play, and then you'd know that's how I create passwords. That then gives you a starting point for breaking other passwords I might use.

That's why there's a difference between a key and a password.

You also mistake an encrypted drive as being evidence. It is not. It *might* contain evidence, but they don't *know* it does.They want to have a look, but he does not have to help them.

@tapanit

I believe you're correct: The courts can't compel the accused to give testimony in court. It is even advised in some cases for the accused not to speak.

However, as I understand it, if the accused breaks that silence, they can then be compelled to answer all questions asked. It's to do with 'telling the truth, the whole truth and nothing but the truth'...

Re: I don't get it...

Its not that difficult to understand. In America our 5th amendment says:

"No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."

The key part in regards to this case and others is "nor shall be compelled in any criminal case to be a witness against himself," if the judge had required him to turn over the encryption password he would in essence be acting as a witness against himself. As far the analogy regarding safes and file cabinents the police can break into those without any help from the defendeant. However, without the encryption password it is very difficult if one is using strong enough encryption.

Re: I don't get it... Except........

Except of course, if your car has been photographed by a speed camera, you are then compelled to name the driver or face punishment as severe as for a speeding charge.

So if you are the driver you are forced to incriminate yourself by admitting that you were the driver rather than plod having to photograph you at the wheel of your car at the time.

So if you have a poor memory, and are the 'registered keeper' (what an odd phrase) of the car, you are done for either way.

I was horrified when I found this out as I always thought that the UK was the bastion of 'innocent until PROVEN guilty'. A bit like the DVLA automatically issuing a fine if their "infallible" data base shows you have failed to re-register your car by the due date.

Well yer honour, as it happens, at the time I was in intensive care following a stroke several weeks before. Too bad, yer busted.

SO?

Re: SO?

And will have the added benefit of boosting the data recovery industry who will make easy money from those who've taken this advice and forgot that their password was 1234 or one of the usual 100 or so standard ones. Unless of course they remembered to write it on a postit note and stick it to their screen.

Re: SO?

Hmm... I tend to go with the never encrypt anything, unless you've got good reason option. The consequences of loosing keys are too great for me. I also work on the opinion that if "The Man" wants my information badly enough, they'll have it without me knowing, encrypted or not.

Re: Re: SO?

Maybe The Man might, but unless you're an international terrorist or an independent MP, you need only worry about people who would be foiled by the most elementary precautions that you choose not to take.

Do you wear your seatbelt? Why's that? If you ran into a tanker an 100MPH which then exploded, you'd still die, right? So why do you take that precaution? Do you look before crossing the road? Why bother? If you got hit by an asteroid the size of Poland looking wouldn't have helped.

i wonder....

Re: i wonder....

Of course they would, although it would be easier on the authorities if the terrorist wasn't an american so that they couldn't plead the 5th, although I doubt that would stop the Homeland Terror Police from extracting it in Gitmo.

Re: Khaptain

Re: Re: Re: The law is there to protect us.

If they have done their homework then surely they have some evidence of his guilt that would then cause a Court to compel him to release the keys to the drive.

There is a subtle difference between "you have some encrypted disks, you must be a peadophile." and "We have evidence that you are a peadophile and believe that there is more evidence on those encrypted disks."

The fifth amendment is there to protect people from the former, the courts in the US have already provided the authorities with the powers for the latter.

The law isn't protecting kiddie fiddlers or terrorists, the law is protecting every American citizen.

Re: Re: Re: The law is there to protect us.

"This is a not a forced and signed confession, far from it. If the police have him held as a child abuse subject then we can presume that they have done their homework..."

Proving a suspect guilty is the issue here, rather than assuming he's guilty. As you are. Assuming you meant to say suspect rather than subject, which to me rather alters the meaning of what you said :)

Re: Re: Re: The law is there to protect us.

First of all, he is a SUSPECT, not a convict. Love how you have already tried and convicted him. Innocent until proven guilty, remember? If he HAD fidled your kid, as you claim, they wouldn't NEED the hard drive. Your kid could testify. That's the thing, they have to MAKE the case, not have him hand it to them.

Why will he not hand it? I personally can think of a lot of reasons that have nothing to do with him being guilty of anything myself.

Re: The law is there to protect us.

Despite the misleading headline on this article, he is not a "child abuse suspect". As far as I'm aware there is no suspicion that he "fiddled" and "kiddies", only that he shared some dodgy pictures (Apparently though YouTube somehow, oddly enough).

@Khaptain

Re: Re: Re: Re: The law is there to protect us.

@ bobbles31;

"If they have done their homework then surely they have some evidence of his guilt that would then cause a Court to compel him to release the keys to the drive."

Bwwwwwwhahahah! Don't make me laugh, I got raided and and everything computer related taken from me for 9 months because someone had given them a "tip off" that we were kiddy fiddlers. The officers doing the raid even stated "we don't have any internet logs or anything or we'd be arresting you right now", though they couldn't actually say "it's just a tip off" it was near as dammit implied.

Thankfully I'd already gotten rid of our backup tapes for the day so they couldn't go blagging me for the encryption keys to those, my boss would not have been best pleased had they taken them.

Don't get me wrong, I'd rather than over checked stuff and cleared me than skipping over stuff, they'd get far more of a pasting if they didn't respond to a tip off and later something happened.

However, I would have been happy to hand over the keys to the tapes, I know full well there's nothing dodgy on there. I would be very interested to know why they are even looking at this guy, do they have logs to show he has been accessing dodgy content? Or has someone he's pissed off decided this would be a good way to get a bit of easy revenge?

"There is a subtle difference between "you have some encrypted disks, you must be a peadophile." and "We have evidence that you are a peadophile and believe that there is more evidence on those encrypted disks.""